Reviewers: Toon Verwaest,

Description:
Merged r11907 into 3.11 branch.

Make near-jump check more strict in LoadNamedFieldPolymorphic on ia32/x64

BUG=134055

[email protected]
TEST=


Please review this at https://chromiumcodereview.appspot.com/10640021/

SVN Base: https://v8.googlecode.com/svn/branches/3.11

Affected files:
  M src/ia32/lithium-codegen-ia32.cc
  M src/version.cc
  M src/x64/lithium-codegen-x64.cc
  A + test/mjsunit/regress/regress-crbug-134055.js


Index: src/ia32/lithium-codegen-ia32.cc
diff --git a/src/ia32/lithium-codegen-ia32.cc b/src/ia32/lithium-codegen-ia32.cc
index 7c9c88260657b0507ab8d9ccc8b8c9dd458ae9b1..2c6a916b04c1aa14a6165f829214161da009ce74 100644
--- a/src/ia32/lithium-codegen-ia32.cc
+++ b/src/ia32/lithium-codegen-ia32.cc
@@ -2359,10 +2359,15 @@ void LCodeGen::EmitPushTaggedOperand(LOperand* operand) {

 // Check for cases where EmitLoadFieldOrConstantFunction needs to walk the
 // prototype chain, which causes unbounded code generation.
-static bool CompactEmit(
-    SmallMapList* list, Handle<String> name, int i, Isolate* isolate) {
-  LookupResult lookup(isolate);
+static bool CompactEmit(SmallMapList* list,
+                        Handle<String> name,
+                        int i,
+                        Isolate* isolate) {
   Handle<Map> map = list->at(i);
+  // If the map has ElementsKind transitions, we will generate map checks
+  // for each kind in __ CompareMap(..., ALLOW_ELEMENTS_TRANSITION_MAPS).
+  if (map->elements_transition_map() != NULL) return false;
+  LookupResult lookup(isolate);
   map->LookupInDescriptors(NULL, *name, &lookup);
   return lookup.IsFound() &&
       (lookup.type() == FIELD || lookup.type() == CONSTANT_FUNCTION);
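Review bot: The header comment above CompactEmit still describes only the prototype-chain walk, while the new early return on `map->elements_transition_map() != NULL` adds a second reason to reject a compact emit, so the comment under-documents the predicate that now bounds the generated code size. I would reword it to `// Returns true only when the polymorphic load for list->at(i) can be emitted compactly: the map has no ElementsKind transitions (each adds a map check in CompareMap) and the property is an own FIELD or CONSTANT_FUNCTION; anything else may walk the prototype chain and generate unbounded code.` The same stale comment is in the x64 hunk of src/x64/lithium-codegen-x64.cc, whose new code is identical to this one. Since the two helpers are byte-for-byte duplicates, a reviewer might also ask whether the predicate belongs in a shared, platform-independent spot so future tightenings are not applied to one port and missed on the other. CompactEmit's closing brace is outside the hunk.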
Index: src/version.cc
diff --git a/src/version.cc b/src/version.cc
index ba5eced8efc1f51ae8e56e80a2634df810edf9c7..9b9c9beb259c4cdfb0e7aeead735e016309536f7 100644
--- a/src/version.cc
+++ b/src/version.cc
@@ -35,7 +35,7 @@
 #define MAJOR_VERSION     3
 #define MINOR_VERSION     11
 #define BUILD_NUMBER      10
-#define PATCH_LEVEL       11
+#define PATCH_LEVEL       12
 // Use 1 for candidates and 0 otherwise.
 // (Boolean macro values are not supported by all preprocessors.)
 #define IS_CANDIDATE_VERSION 0
Index: src/x64/lithium-codegen-x64.cc
diff --git a/src/x64/lithium-codegen-x64.cc b/src/x64/lithium-codegen-x64.cc
index f62528e34a4513e4a6269ca2e5edf39806f7adee..7dc38a1429f8758e6abb5ae4eb84ec04d077d99b 100644
--- a/src/x64/lithium-codegen-x64.cc
+++ b/src/x64/lithium-codegen-x64.cc
@@ -2235,10 +2235,15 @@ void LCodeGen::EmitLoadFieldOrConstantFunction(Register result,

 // Check for cases where EmitLoadFieldOrConstantFunction needs to walk the
 // prototype chain, which causes unbounded code generation.
-static bool CompactEmit(
-    SmallMapList* list, Handle<String> name, int i, Isolate* isolate) {
-  LookupResult lookup(isolate);
+static bool CompactEmit(SmallMapList* list,
+                        Handle<String> name,
+                        int i,
+                        Isolate* isolate) {
   Handle<Map> map = list->at(i);
+  // If the map has ElementsKind transitions, we will generate map checks
+  // for each kind in __ CompareMap(..., ALLOW_ELEMENTS_TRANSITION_MAPS).
+  if (map->elements_transition_map() != NULL) return false;
+  LookupResult lookup(isolate);
   map->LookupInDescriptors(NULL, *name, &lookup);
   return lookup.IsFound() &&
       (lookup.type() == FIELD || lookup.type() == CONSTANT_FUNCTION);
Index: test/mjsunit/regress/regress-crbug-134055.js
diff --git a/test/mjsunit/regress/regress-2170.js b/test/mjsunit/regress/regress-crbug-134055.js
similarity index 72%
copy from test/mjsunit/regress/regress-2170.js
copy to test/mjsunit/regress/regress-crbug-134055.js
index 01cb1eaf8f7b812429d4f36dee28b70f4af0b66d..9b658fb6f650f04520001f61f8e34d0202c5fb7d 100644
--- a/test/mjsunit/regress/regress-2170.js
+++ b/test/mjsunit/regress/regress-crbug-134055.js
@@ -27,32 +27,37 @@

 // Flags: --allow-natives-syntax

-function array_fun() {
-  for (var i = 0; i < 2; i++) {
-    var a = [1.1, 1.2, 1.3, 1.4, 1.5, 1.6, 1.7, 1.8];
-    var x = new Array();
-    x.fixed$length = true;
-    for (var j = 0; j < a.length; j++) {
-      x.push(a[j]);
-    }
-    for(var j = 0; j < x.length; j++) {
-      if (typeof x[j] != 'number') {
-        throw "foo";
-      }
-      x[j] = x[j];
-    }
-  }
+function crash(obj) {
+  return obj.foo;
 }

-try {
-  for (var i = 0; i < 10; ++i) {
-    array_fun();
-  }
-  %OptimizeFunctionOnNextCall(array_fun);
-  for (var i = 0; i < 10; ++i) {
-    array_fun();
+function base(number_of_properties) {
+  var result = new Array();
+  for (var i = 0; i < number_of_properties; i++) {
+    result["property" + i] = "value" + i;
   }
-} catch (e) {
-  assertUnreachable();
+  result.foo = number_of_properties;
+  return result;
 }

+var a = base(12);
+var b = base(13);
+var c = base(14);
+var d = base(15);
+
+crash(a);  // Premonomorphic.
+crash(a);
+crash(b);
+crash(c);
+crash(d);  // Polymorphic, degree 4.
+
+//Prepare ElementsKind transition map chain.
+var x = base(13);
+x[0] = "object";
+x = base(14);
+x[0] = "object";
+x = base(15);
+x[0] = "object";
+
+%OptimizeFunctionOnNextCall(crash);
+crash(a);
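Review bot: The final `crash(a);` after `%OptimizeFunctionOnNextCall(crash)` only checks that the optimized code does not crash, so a regression that emits a wrong field load for the transitioned map would pass silently; pinning the value with `assertEquals(12, crash(a));` makes the test fail on both outcomes at no extra cost, and `base(12)` stores 12 in `foo` on the line `result.foo = number_of_properties;`. Minor style: `//Prepare ElementsKind transition map chain.` lacks the space after `//` used by every other comment in the file. The empty `TEST=` field in the CL description could also name this regression test, since it is the only coverage of the fix.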

